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FIELD OF THE INVENTION 



m 

y:J This invention relates to systems and methods for controlling network 

f;;^ communications, and more particularly, to systems and methods that control access to 

1=9 particular content on a network. 

IIJ 
Q 

B BACKGROUND OF THE INVENTION 

11 Modem Internet communications allow a plurality of users to access 

12 multiple websites, or domains. A variety of information can be stored at the site and 

13 accessed, including multimedia content. In addition, one user can contact another user 

14 and refer the second user to a website address, through a link. The second user can 

15 then access the website directly, using the link provided by the first user. 

16 Some domains have secured content such as confidential financial data, 

17 provide content based upon viewship or ratings, and the like, and websites have 
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difficulty preventing an unauthorized user from obtaining the secure content intended 
to come from its original host or source location when the link to the secured content 
is forwarded by an authorized user who has the specific query train or syntax link to 
the secured or nested content. Known security systems address this problem by 
adding multiple layers of security such as additional log-ins or user inputs, which 
slows the system and ease of use as well as system performance. Thus, there is a need 
for improved systems and methods that maintain security of secured information on 
networks, even when a link is provided or is passed to unauthorized users. 

Content providers sometimes provide unique or specially prepared 
content for affiliates, syndicates, service providers, such as America Online, etc. Such 
content is only intended to be seen by users of those affiliates, etc., even though the 
content provider might have other content available on an unrestricted basis. 
However, such unique content can sometimes be viewed by nonusers of the affiliates, 
etc., when the links or URL*s for the related content are forwarded by a user of the 
affiliates, etc. Thus, there is also a need to control or channel access to website links 
to limit the use of predetermined content to users of particular content providers or 
hosts. 

Accordingly, one object of this invention is to provide new and 
improved systems and methods for controlling network communications. 

Another object is to provide new and improved systems and methods 
that control access to particular content on a network, particularly when links to 
content are passed from an authorized user to an unauthorized user. 



1 Yet another object is to provide new and improved systems and methods 

2 that limit the use of predetermined content to users of particular affiliates, syndicates, 

3 service providers, andother content providers. 

4 SUMMARY OF THE INVENTION 

5 A data communication system has a network and an originating domain 

6 or host through which stored or live media or content can be requested and retrieved. 



7 Access criteria for retrieving the content through a content distribution facility is 

.^^^ 8 specified by an originating domain administrator. Authorized users can satisfy the 

^ 9 access criteria, and unauthorized users cannot. The originating domain provides the 

m 

y;10 authorized user with a link to the content in the content distribution facility. Access to 

nj 

the content is controlled by allowing the authorized user to present to the content 

yX2 distribution facility the specified content request and the address of the specified 

nil3 originating domain content network location. The authorized user retrieves the 

Q 

J;?4 content through the content distribution facility only after properly presenting 



15 successful access criteria. 

16 BRIEF DESCRIPTION OF THE DRAWINGS 

17 FIG. 1 is a block diagram of a data communication system made in 

1 8 accordance with the present invention; 

19 FIG. 2 is a flow chart of the request redirection process; 
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1 FIG. 3 is a flow chart of the operation of the content requestor process; 

2 and 

3 FIG. 4 is a flow chart for analyzing user and content access criteria. 
4 

5 

6 DETAILED DESCRIPTION 

7 As seen in FIG. 1, a data communication system includes a network 10 

8 such as the worldwide web, known as the Internet, an intranet, which could be 

9 established within a company or the like, or any other network. A plurality of users 
Ip 12, 14, have access to the network, and a plurality of sites or domains 16, 17, 18, 

0:3 

11 provide media or content. In Fig. 1, the domains 16 and 17 provide content directly or 

ru 

12 through other domains, and could be websites operated by the National Broadcasting 

y 1 

Company (NBC®), its affiliates, syndicates, American On Line (AOL®), etc. The 

iU domain 18 is a content distribution facility that can be used by the domains 16, 17, as 

a 

H will be described. 

16 * In a typical system, the users 12, 14 have a device containing operating 

17 operating codes such as a host operating process 20, e.g., Microsoft Windows, Linux, 

18 or the like, and an Internet content display method 22, such as a browser. The 

19 browser allows the user 12 to access the domain 16, for example, and obtain content, 

20 which can be live or stored. The content provider 16 responds to a request for content 

21 with a text or binary file, described appropriately by a MIME tag, that typically 



22 includes a referring address or a URL link that redirect^ the user to the content. The 
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1 file also typically includes information about the content which is tj^ically stored or 

2 available through some content distribution facility 18. Thus, the file tells the 

3 requesting computer, i.e., the user, what type of content is being sent, so that the user's 

4 device can locate the content and render it properly. 

5 The content distribution facility 1 8 can be located at a different site firom 

6 the originating domain 16, or it can be contained within the domain or host process 

7 16. In addition, the content distribution facility 18 can be one or more than one 

8 physical facility, and could include sites or facilities around the world. 

9 The user 12 also has a browser-based multimedia player or content 

a 

||) requestor process 24, which is typically software codes or the like having the ability to 

SI interpret encoded messages fi-om originating domains, as well as viewing media as 

nj 

^ will be described. The user 14 also has a content requestor process 26, which in Fig. 1 

13 is configured to interpret requests in a different manner than the content requestor 

f4 process 24. The user 14 also has an Intemet content display method 28 and a host 

Q 

|;5 operating process 30. The differences between the content requestor processes 24, 26 

16 cause the user 12 to be an authorized user in the examples that follow, and cause the 

17 user 14 to be an unauthorized user in those examples. 

1 8 The manner in which requests firom the authorized user 12 a ^e redirected , ) 

19 firom the originating domains 16 or 17 to the content distribution facility 18 is 

20 described in more detail in Fig. 2. At S202, the user sends a media link (URL) over 

21 the network, causing the user's device to retrieve the content to which the URL refers. 

22 At S204, the originating domain generates a file (associated with the media requestor 
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1 process on the local host operating process) which includes all information needed to 

2 retrieve the requested media. As an additional measure to certify the request as 

3 authentic, a key based security communication could be included. At S206, the user 

4 12 checks the file received from the originating domain 16 for a user program 

5 association, through the content requester process 24. If there is no association, i.e., if 

6 the content requestor cannot interpret the redirection request, access to the content is 

7 denied at S208. If there is an association, i.e., the content requestor interprets the 

8 request and presents it to the facility 18 in an expected form, then the Intemet content 
^9 display system 22 accesses the link in the content distribution facility 18 at S2 10. 

IP The operation of the content requestor process 24 is shown in greater 

03 

1-1 detail in Fig. 3. At S302, the media requestor process 24 opens a requested file 
retrieved by the authorized user 12. At S3 04, the content requestor process 24 obtains 

13 an address (a URL or domain name link) fi"om the host operating process 20 or 

u 

M Intemet content display method 22. At S3 06, the content requestor process 24 may 

V5 hash or encrypt the URL using a key-based encryption method, if desired. SHAl is 

16 one example of such a key-based security method. 

17 At S308, the content media requestor process 24 requests the desired 

18 content using a referral URL with any appropriate Intemet protocol, such as HTTP or 

19 any other suitable network protocol. At S3 10, the content distribution facility 18 

20 decrypts the URL (if encrypted) received from the user, and determines whether the 

21 content can be retrieved from that source. If not, access is denied at S3 12. If the 

22 required access criteria is met, the content stream is delivered to the user at S3 14. 
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1 The invention has appHcation in several situations. For example, a 

2 domain (content provider) that provides public information, such as NBC^, may want 

3 certain content to only be accessed through a particular provider such as AOL®. In 

4 this example, NBC® is the referral domain, and AOL® is a referrer domain because 

5 AOL® refers its users to the designated content at the NBC® domain site. Applying 

6 this example to Fig. 1, the originating domain 16, such as NBC®' could provide public 

7 information and it might provide some content to be accessed only through the 

8 originating domain 17 (AOL®). In that event, the access criteria required by the 
-,,9 content distribution facility 18 would include the location of the originating domain 17 

li) (AOL®), as well as the originating domain 16 (NBC®). Thus, if an unauthorized user 

03 

$1 tried to directly access the NBC® content through the originating domain 16 (NBC®), 

1^ access would be denied because the location of the originating domain 17 (AOL®) 

it 

IJ would be missing. 

V4 As another example, the NBC® site could have both publicly available, 

1=3 

I'l unsecured information, and other information that is secured or controlled. In that 

16 event, NBC® would be considered a host. This configuration could be used, for 

17 example, if a national NBC® site, which developed national news, provided content to 

18 its affiliates in various cities throughout the country. Certain local news could be 

19 controlled so that a user could only reach that news through the website of a particular 

20 local NBC® affiliate. Conversely, the local affiliate would be required to Hnk and be 

21 granted access to the national news on the NBC® corporate website. In that event, the 
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1 local site would be the originating domain 17, and it would link to the originating 

2 domain 1 6, which would be the national news website of NBC®. 

3 In this manner, the originating domain 17 can syndicate the content of 

4 the originating domain 16, which means that domain 17 is merely linking to portions 

5 of the content in domain 16. The defined access criteria 34 of the domain 16 should 

6 include the location of domain 17, or a sub-domain of domain 17. 

7 As still another example, a site having confidential information could 

8 secure it using this invention. In that event, also, the site would be considered a host. 
S Applying this example to Fig. 1, the originating domain 16 would have both publicly 

f!| available, unsecured information, and secured information. If the user 12 requests the 

I 

111 secured content, originating domain 16 would send a link to the user 12, which would 

12^ not be understood by the Intemet content display method 20. The host operating 

13 process 22 would search for a program that understood the link, and would find it in 

m the content requested process 24. The user 12 would then direct that request to the 

j"5 content distribution facility 18, where the user would be recognized as an authorized 

16 user. In this example, the access criteria includes the content URL from the 

17 originating domain link, which is sent with the location of the user 12 to the facility 

18 18. 

19 The originating domain system administrator decides whether 

20 authorization should be based on the referrer domain or the host through a station 

21 manager administration interface 32. The system administrator can also decide 

22 whether access should be granted based on a list of authorized hosts or users, or a list 
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1 of unauthorized hosts or users. These decisions are stored in a multimedia database or 

2 the Defined Access Criteria Storage mechanism 34, and estabhsh the access criteria 

3 used to identify authorized and/or unauthorized users of particular content. 

4 When a request is received in the content distribution facility 18, the 

5 content distribution facility 18 determines the parameters or criteria set by the 

6 administrator for access, and determines whether access is authorized according to the 

7 access criteria. Referring to FIG. 4, the content distribution facility 18 starts the 

8 decision making process at S402. The system determines whether the administrator 
wants access to be allowed based on an authorized referrer domain list at S406. The 

1^ referrer domain list could be used for syndication, for example, and primarily 

Hi determine if the domain or URL location of the specific content item fi-om the user 

1^ matches a location on the list. If the list at S406 is used, the system determines 

si 

13 whether the referrer domain is in the list at S408. If not, the request is denied at S410. 

14 If the referrer domain is found on the list at S408, or if the administrator decided that 

Q 

tS an authorized referrer domain list is not to be used as access criteria for that content, 

16 then the system determines whether the administrator decided to use an authorized 

/ 

17 referrer domain list as access criteria at S412. If so, it is determined whether the 

18 referrer domain or network address is on the list at S414. If the referrer domain or 

19 network is on the list of unauthorized users, then the request is denied at step S410. If 

20 not, or if the unauthorized referrer domain list is not being used, the system proceeds 

21 to step S416, which refers to a reverse domain look up. 
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1 A reverse domain look up identifies the requesting user's domain or 

2 network by translating a network number to a network domain or network name. This 

3 could be used in the example above in which the NBC® content administrator limits 

4 access of some content to the AOL® network or domain. 

5 If the administrator decided that an authorized reverse domain list 

6 should be used at S4 18, it is determined whether the domain is in the reverse domain 

7 list at S420. If not, the request is denied at S410. If so, or if the authorized reverse 

8 domain list is not used, the system determines whether it is to use an unauthorized 

,9 reverse domain list at S422. If so, it is determined whether the requestor is on the 

C3 

lj| reverse domain list at S424. If so, the request is denied. If not, or if the unauthorized 

03 

lli reverse domain list is not being used, the request is granted at S426. 

nj 

Ij^ The user 12 is an authorized user because it has the ability to decode a 

13 unique file, described appropriately by its MIME type, that is provided for secured 

f4 information. The software, firmware or the like is specially provided to authorized 

P 

^ users. The software decodes the unique file, which includes the name and network 

16 location of the domain 18, and sends the request, which includes the domain 16, any 

17 related subdomains, and the source URL link of domain 16, to the domain 18. The 

18 domain 18 then sends the requested content to the user 12. 

19 The user 14 is an unauthorized user, and does not have the ability that is 

20 provided to user 12. In this case, if the user 14 requests content fi"om the domain 16, 

21 and the Intemet content display method 28 of user 14 passes the unique file to the 

22 operating system, the operating system, or method codes of user 14 will not 
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understand the file because it does not have the software, firmware or the hke, and the 
user 14 will not be able to access the content 18. 

In use, the station manager administrator sets the access criteria for 
particular content, as desired. As the originating domain 16 develops new content, the 
content is uploaded to the content distribution facility 18. Authorized users are 
provided with an appropriate content request or process 24, which interprets referral 
files returned from the originating domain 16 when the content is requested by the 
user. By referring requests into a hosted element, the content distribution facility 18, 
content cannot be easily passed to unauthorized users by forwarding links. The user 
12 can use an ordinary security method that may be already pre-existing between the 
user 12 and the originating domain 16, such as a typical log-in procedure. Through 
the referral to the content distribution facility 18, the user 12 presents the original 
source material and how it found the original source material from the originating 
domain 16, such that when properly presented to the content distribution facility 18, 
the request for content is granted. Without going through the referral process, though, 
the request is denied. In this manner, there are no additional log-in or security 
methods burdened on the user. Also, the originating domain content owner maintains 
control over access to the content. 

The many advantages of this invention are now apparent. Unauthorized 
use of links, including a mass emailing of URLs pointing to multimedia content, and 
the unauthorized use of specialized Intemet programming, is substantially prevented. 
Servers are not as likely to be overwhelmed with streaming media requests from 



unauthorized viewers, in the media or content as only viewed by its intended 
audience. Thus, this invention provides a value added service to content providers 
and allows them to develop rich multimedia content to a specified group, which 
cannot be easily tampered with or devalued in its presentation 

While the principles of the invention have been described above in 
connection with specific apparatus and applications, it is to be understood that this 
description is made only by way of example and not as a limitation on the scope of the 
invention. 
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